RubySec

Providing security resources for the Ruby community

OSVDB-97854 (fog-dragonfly): Dragonfly Gem for Ruby on Windows Shell Escaping Weakness


Published: September 01, 2011

SECURITY IDENTIFIERS

GEM

fog-dragonfly

PATCHED VERSIONS

>= 0.9.6

DESCRIPTION

The Dragonfly gem for Ruby contains a flaw: the program fails to properly escape shell input that contains injected characters. This may allow a context-dependent attacker to execute arbitrary commands.

This gem has been renamed. Please use "dragonfly" from now on.
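
A lockfile check for this advisory, as an added example that is not RubySec's or the Dragonfly project's code: it flags any locked `fog-dragonfly` release outside the patched range `>= 0.9.6` and reports the renamed gem. The function name `audit_lockfile`, the layout of the finding hash and the sample lockfile fragments are assumptions constructed for illustration.

```ruby
require "rubygems"

# Values taken from the advisory text above.
ADVISORY_GEM     = "fog-dragonfly"
PATCHED_VERSIONS = Gem::Requirement.new(">= 0.9.6")
RENAMED_TO       = "dragonfly"

# Resolved gems in a Gemfile.lock "specs:" section are indented exactly four
# spaces ("    name (1.2.3)"); their dependencies use six and are not matched.
SPEC_LINE = /\A {4}(?<name>[A-Za-z0-9_.\-]+) \((?<version>[^)\s]+)\)\s*\z/

# Returns one finding per locked fog-dragonfly entry in the lockfile text.
def audit_lockfile(lock_text)
  lock_text.each_line.filter_map do |line|
    m = SPEC_LINE.match(line.chomp)
    next unless m && m[:name] == ADVISORY_GEM
    next unless Gem::Version.correct?(m[:version]) # ignore malformed versions

    version = Gem::Version.new(m[:version])
    { gem: m[:name],
      version: version.to_s,
      vulnerable: !PATCHED_VERSIONS.satisfied_by?(version),
      renamed_to: RENAMED_TO }
  end
end

# Constructed lockfile fragments for illustration (not from a real project).
SAMPLE_VULNERABLE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      fog-dragonfly (0.8.2)
        rack
      rack (1.3.2)
LOCK

SAMPLE_PATCHED = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      fog-dragonfly (0.9.6)
        rack
      rack (1.3.2)
LOCK

if __FILE__ == $PROGRAM_NAME
  [SAMPLE_VULNERABLE, SAMPLE_PATCHED].each do |lock|
    audit_lockfile(lock).each { |f| puts f.inspect }
  end
end
```
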
